U.S. OFFICE OF PERSONNEL MANAGEMENT
OFFICE OF THE INSPECTOR GENERAL
OFFICE OF AUDITS

Final Audit Report

Subject:

AUDIT OF THE INFORMATION TECHNOLOGY SECURITY CONTROLS OF THE U.S. OFFICE OF PERSONNEL MANAGEMENT'S INVESTIGATIONS, TRACKING, ASSIGNING AND EXPEDITING SYSTEM
FY 2014

Report No. 4A-IS-00-14-017

April 3, 2014

--CAUTION--
This audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit report may contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available under the Freedom of Information Act and made available to the public on the OIG webpage, caution needs to be exercised before releasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy.

Audit Report

U.S. OFFICE OF PERSONNEL MANAGEMENT
AUDIT OF THE INFORMATION TECHNOLOGY SECURITY CONTROLS OF THE U.S. OFFICE OF PERSONNEL MANAGEMENT'S INVESTIGATIONS, TRACKING, ASSIGNING AND EXPEDITING SYSTEM
FY 2014
WASHINGTON, D.C.

Report No. 4A-IS-00-14-017
Date: 04/03/14

Michael R. Esser
Assistant Inspector General for Audits

Executive Summary

This final audit report discusses the results of our audit of the information technology security controls of the U.S. Office of Personnel Management's (OPM) Investigations, Tracking, Assigning and Expediting (iTRAX) System. Our conclusions are detailed in the "Results" section of this report.

Security Assessment and Authorization (SA&A)
An SA&A of iTRAX was completed in October 2013. We reviewed the authorization package for all required elements of an SA&A, and determined that the package contained all necessary documentation.

Federal Information Processing Standards (FIPS) 199 Analysis
The security categorization of iTRAX appears to be consistent with FIPS 199 and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-60 requirements, and we agree with the categorization of "high."

System Security Plan (SSP)
The iTRAX SSP contains the critical elements required by NIST SP 800-18 Revision 1.

Security Assessment Plan and Report
A security control assessment plan and report were completed in June and October 2013 for iTRAX as a part of the system's SA&A.

Security Control Self-Assessment
Federal Investigative Services ensures that annual security control self-assessments are conducted in accordance with OPM policy.

Contingency Planning and Contingency Plan Testing
A contingency plan was developed for iTRAX that is in compliance with NIST SP 800-34 Revision 1 and is tested annually.

Privacy Impact Assessment (PIA)
A privacy threshold analysis was conducted for iTRAX and indicated that a PIA was required. A PIA was conducted in June 2013.

Plan of Action and Milestones (POA&M) Process
The iTRAX POA&M follows the format of the OPM POA&M guide, and has been routinely submitted to the OCIO for evaluation.

NIST SP 800-53 Revision 3 Evaluation
We evaluated the degree to which a subset of the IT security controls outlined in NIST SP 800-53 Revision 3 was implemented for iTRAX. We determined that several controls could be improved.

Contents

Executive Summary
Introduction
Background
Objectives
Scope and Methodology
Compliance with Laws and Regulations
Results
  I. Security Assessment and Authorization
  II. FIPS 199 Analysis
  III. System Security Plan
  IV. Security Assessment Plan and Report
  V. Security Control Self-Assessment
  VI. Contingency Planning and Contingency Plan Testing
  VII. Privacy Impact Assessment
  VIII. Plan of Action and Milestones Process
  IX. NIST SP 800-53 Revision 3 Evaluation
Major Contributors to this Report
Appendix: Federal Investigative Services' February 19, 2014 response to the draft audit report, issued January 28, 2014

Introduction

On December 17, 2002, President Bush signed into law the E-Government Act (P.L. 107-347), which includes Title III, the Federal Information Security Management Act (FISMA). It requires (1) annual agency program reviews, (2) annual Inspector General (IG) evaluations, (3) agency reporting to the Office of Management and Budget (OMB) of the results of IG evaluations for unclassified systems, and (4) an annual OMB report to Congress summarizing the material received from agencies. In accordance with FISMA, we audited the information technology (IT) security controls related to the Office of Personnel Management's (OPM) Investigations, Tracking, Assigning and Expediting (iTRAX) System.

Background

iTRAX is one of OPM's critical IT systems. As such, FISMA requires that the Office of the Inspector General (OIG) perform an audit of the IT security controls of this system, as well as all of the agency's critical systems, on a rotating basis.

The iTRAX web-based application is designed to support delivery of services to the Federal Investigative Service (FIS), which is responsible for delivery of investigative products and services that ensure federal agencies have the data needed on which to base determinations of eligibility for a security clearance or suitability for employment in sensitive positions. The system is operated and hosted by an OPM contractor, CACI, on behalf of FIS.

This was our first audit of the security controls surrounding iTRAX. We discussed the results of our audit with FIS representatives at an exit conference.

Objectives

Our objective was to perform an evaluation of the security controls for iTRAX to ensure that FIS officials have managed the implementation of IT security policies and procedures in accordance with standards established by FISMA, the National Institute of Standards and Technology (NIST), the Federal Information System Controls Audit Manual (FISCAM) and OPM's Office of the Chief Information Officer (OCIO).

OPM's IT security policies require owners of all major information systems to complete a series of steps to (1) certify that their system's information is adequately protected and (2) authorize the system for operations. The audit objective was accomplished by reviewing the degree to which a variety of security program elements have been implemented for iTRAX, including:

• Security Assessment and Authorization;
• FIPS 199 Analysis;
• Risk Assessment;
• System Security Plan;
• Security Assessment Plan and Report;
• Security Control Self-Assessment;
• Contingency Planning and Contingency Plan Testing;
• Privacy Impact Assessment;
• Plan of Action and Milestones Process; and
• NIST Special Publication (SP) 800-53 Revision 3 Security Controls.

Scope and Methodology

This performance audit was conducted in accordance with Government Auditing Standards, issued by the Comptroller General of the United States. Accordingly, the audit included an evaluation of related policies and procedures, compliance tests, and other auditing procedures that we considered necessary. The audit covered FISMA compliance efforts of FIS officials responsible for iTRAX, including IT security controls in place as of December 2013.

We considered the iTRAX internal control structure in planning our audit procedures. These procedures were mainly substantive in nature, although we did gain an understanding of management procedures and controls to the extent necessary to achieve our audit objectives.

To accomplish our objective, we interviewed representatives of OPM's FIS and CACI employees with iTRAX security responsibilities. We reviewed relevant OPM IT policies and procedures, federal laws, OMB policies and guidance, and NIST guidance. As appropriate, we conducted compliance tests to determine the extent to which established controls and procedures are functioning as required.

Details of the security controls protecting the confidentiality, integrity, and availability of iTRAX are located in the "Results" section of this report. Since our audit would not necessarily disclose all significant matters in the internal control structure, we do not express an opinion on the iTRAX system of internal controls taken as a whole.

The criteria used in conducting this audit include:

• OPM Information Security Privacy and Policy Handbook;
• OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources;
• E-Government Act of 2002 (P.L. 107-347), Title III, Federal Information Security Management Act of 2002;
• The Federal Information System Controls Audit Manual;
• NIST SP 800-12, An Introduction to Computer Security;
• NIST SP 800-18 Revision 1, Guide for Developing Security Plans for Federal Information Systems;
• NIST SP 800-30 Revision 1, Guide for Conducting Risk Assessments;
• NIST SP 800-34 Revision 1, Contingency Planning Guide for Federal Information Systems;
• NIST SP 800-37 Revision 1, Guide for Applying Management Framework to Federal Information Systems;
• NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information Systems and Organizations;
• NIST SP 800-60 Volume II, Guide for Mapping Types of Information and Information Systems to Security Categories;
• NIST SP 800-84, Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities;
• Federal Information Processing Standards Publication 199, Standards for Security Categorization of Federal Information and Information Systems; and
• Other criteria as appropriate.

In conducting the audit, we relied to varying degrees on computer-generated data. Due to time constraints, we did not verify the reliability of the data generated by the various information systems involved. However, nothing came to our attention during our audit testing utilizing the computer-generated data to cause us to doubt its reliability. We believe that the data was sufficient to achieve the audit objectives. Except as noted above, the audit was conducted in accordance with generally accepted government auditing standards issued by the Comptroller General of the United States.

The audit was performed by the OPM Office of the Inspector General, as established by the Inspector General Act of 1978, as amended. The audit was conducted from November 2013 through January 2014 in CACI's Chantilly, Virginia facility and OPM's Washington, D.C. office. This was our first audit of the security controls surrounding iTRAX.

Compliance with Laws and Regulations

In conducting the audit, we performed tests to determine whether FIS management of iTRAX is consistent with applicable standards. Nothing came to our attention during this review to indicate that FIS is in violation of relevant laws and regulations.

Results

I. Security Assessment and Authorization

A Security Assessment and Authorization (SA&A) of iTRAX was completed in October 2013.

OPM's Chief Information Security Officer reviewed the iTRAX SA&A package and signed the system's authorization letter on October 28, 2013. The system's authorizing official signed the letter and authorized the continued operation of the system on October 30, 2013.

NIST SP 800-37 Revision 1, "Guide for Applying Management Framework to Federal Information Systems," provides guidance to federal agencies in meeting security accreditation requirements. The iTRAX SA&A appears to have been conducted in compliance with NIST requirements.

II. FIPS 199 Analysis

Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems, requires federal agencies to categorize all federal information and information systems in order to provide appropriate levels of information security according to a range of risk levels.

NIST SP 800-60 Volume II, Guide for Mapping Types of Information and Information Systems to Security Categories, provides an overview of the security objectives and impact levels identified in FIPS Publication 199.

The iTRAX FIPS 199 Security Categorization Template analyzes information processed by the system and its corresponding potential impacts on confidentiality, integrity, and availability. iTRAX is categorized with a high impact level for confidentiality, moderate for integrity, low for availability, and an overall categorization of "high."

The security categorization of iTRAX appears to be consistent with FIPS 199 and NIST SP 800-60 requirements, and we agree with the categorization of "high."

III. System Security Plan

Federal agencies must implement on each information system the security controls outlined in NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information Systems and Organizations. NIST SP 800-18 Revision 1, Guide for Developing Security Plans for Federal Information Systems, requires that these controls be documented in a System Security Plan (SSP) for each system, and provides guidance for doing so.

The SSP for iTRAX was created using the template outlined in NIST SP 800-18 Revision 1. The template requires that the following elements be documented within the SSP:

• System Name and Identifier;
• System Categorization;
• System Owner;
• Authorizing Official;
• Other Designated Contacts;
• Assignment of Security Responsibility;
• System Operational Status;
• Information System Type;
• General Description/Purpose;
• System Environment;
• System Interconnection/Information Sharing;
• Laws, Regulations, and Policies Affecting the System;
• Security Control Selection;
• Minimum Security Controls; and
• Completion and Approval Dates.

We reviewed the iTRAX SSP and determined that it adequately addresses each of the elements required by NIST.

IV. Security Assessment Plan and Report

A Security Assessment Plan (SAP) and Security Assessment Report (SAR) were completed for iTRAX in June and October 2013 as a part of the system's SA&A process. The SAP and SAR were completed by a contractor that was operating independently from FIS and CACI. We reviewed the documents to verify that a risk assessment was conducted in accordance with NIST SP 800-30 Revision 1, Guide for Conducting Risk Assessments. We also verified that appropriate management, operational, and technical controls were tested for a system with a "high" security categorization according to NIST SP 800-53 Revision 3.

The SAP outlined the assessment approach and test methods. The SAR identified 25 control weaknesses; 18 of those weaknesses were immediately remediated, and the remaining weaknesses were added to the iTRAX Plan of Action & Milestones (POA&M). A risk rating was applied to each weakness to determine the potential impact of exploitation.

We also reviewed the Security Assessment results table that contained the detailed results of the NIST SP 800-53 Revision 3 controls testing. The table indicated that five controls were not fully satisfied. These controls were appropriately documented in the system POA&M for tracking.

Nothing came to our attention to indicate that the security controls of iTRAX have not been adequately tested by an independent source.

V. Security Control Self-Assessment

OPM requires that the IT security controls of each contractor-operated system be tested on an annual basis. In the years that an independent assessment is not being conducted on a system as part of an SA&A, the system's owner must ensure that annual controls testing is performed by a government employee or an independent third party (i.e., the contractor operating the system should not act as the assessor).

We reviewed the iTRAX security control tests for the past three years, and nothing came to our attention to indicate that the security controls of iTRAX have not been adequately tested.

A fourth revision to NIST SP 800-53 was published in April 2013, and agencies are allowed one year to implement any new or modified NIST guidance. We informed FIS that they must conduct an analysis to determine if testing modifications are necessary to comply with NIST SP 800-53 Revision 3 for the fiscal year 2014 security controls test.

VI. Contingency Planning and Contingency Plan Testing

NIST SP 800-34 Revision 1, Contingency Planning Guide for Federal Information Systems, states that effective contingency planning, execution, and testing are essential to mitigate the risk of system and service unavailability. OPM's security policies require all major applications to have viable and logical disaster recovery and contingency plans, and that these plans be annually reviewed, tested, and updated.

Contingency Plan
The iTRAX contingency plan documents the functions, operations, and resources necessary to restore and resume iTRAX operations when unexpected events or disasters occur. The iTRAX contingency plan adequately follows the format suggested by NIST SP 800-34 Revision 1 and contains the required elements.

Contingency Plan Test
NIST SP 800-34 Revision 1 provides guidance for testing contingency plans and documenting the results. Contingency plan testing is a critical element of a viable disaster recovery capability.

A tabletop test of the iTRAX contingency plan was conducted by CACI officials in August 2013. The test involved documenting and discussing the recovery process for the iTRAX system. The testing documentation contained an analysis and review of the results. While the overall FIPS 199 security categorization of iTRAX is "high," the availability category is "low." NIST SP 800-34 Revision 1 states that tabletop exercises are sufficient testing for systems with a "low" availability categorization.

VII. Privacy Impact Assessment

FISMA requires agencies to perform a screening of federal information systems to determine if a Privacy Impact Assessment (PIA) is required for that system. OMB Memorandum M-03-22 outlines the necessary components of a PIA. The purpose of the assessment is to evaluate any privacy vulnerabilities in information systems and to document any privacy issues that have been identified and addressed.

FIS completed an initial privacy screening, or Privacy Threshold Analysis, of iTRAX and determined that a PIA was required for this system. A PIA was completed in June 2013 and approved by the system owner and CIO.

VIII. Plan of Action and Milestones Process

A POA&M is a tool used to assist agencies in identifying, assessing, prioritizing, and monitoring the progress of corrective efforts for IT security weaknesses. OPM has implemented an agency-wide POA&M process to help track known IT security weaknesses associated with the agency's information systems.

We evaluated the iTRAX POA&M and verified that it follows the format of OPM's standard template and has been loaded into Trusted Agent, the OCIO's POA&M tracking tool, for evaluation. We determined that the weaknesses discovered during the SA&A security assessment were appropriately included in the POA&M. Nothing came to our attention to indicate that there are any current weaknesses in the management of the iTRAX POA&M.

IX. NIST SP 800-53 Revision 3 Evaluation

NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, provides guidance for implementing a variety of security controls for information systems supporting the federal government. As part of this audit, we independently evaluated whether a subset of these controls had been implemented for iTRAX. We tested approximately 55 security controls that were identified as being system-specific or a hybrid control. We tested one or more controls from each of the following control families:

• Access Control
• Awareness and Training
• Audit and Accountability
• Security Assessment and Authorization
• Configuration Management
• Contingency Planning
• Identification and Authorization
• Media Protection
• Planning
• Personnel Security
• Risk Assessment
• System and Services Acquisition
• System and Communication Protection
• System and Information Integrity

These controls were evaluated by interviewing individuals with iTRAX security responsibilities, reviewing documentation and system screenshots, viewing demonstrations of system capabilities and conducting tests directly on the system.

We determined that all tested security controls appear to be in compliance with NIST SP 800-53 Revision 3 requirements, with the following exceptions:

1. Control AC-5 – Separation of Duties

During interviews with subject matter experts we were informed that CACI application developers have access to the iTRAX production environment and have administrator privileges within the back-end software platform, Serena Business Manager. This situation constitutes a segregation of duties violation.

NIST SP 800-53 Revision 3 states that organizations should separate duties of individuals as necessary to prevent malevolent activity without collusion, document separation of duties, and implement separation of duties through assigned information system access authorizations. Failure to ensure separation of duties increases the risk that the application developers could make unauthorized or malicious modifications to the iTRAX application.

Recommendation 1
We recommend that FIS ensure that proper separation of duties is maintained within iTRAX and the back-end software platform.

FIS Response:
"FIS agrees with the recommendation and has taken action to resolve the issue prior to the report's finalization. The iTRAX Development Team has been segregated into two groups to meet separation of duties requirements. Administrative privileges have been removed for all Developers except the Serena Development Team Lead (normally not involved in actual code development). The Serena Development Team Lead will be added to the Configuration Control Board (CCB) and will coordinate with approval procedures, internally review all code created on the development environment prior to production approval, and orchestrate periodic and planned iTRAX software updates to the production server. The supporting evidence has been supplied in the Post-Exit Brief Submission package."

OIG Reply:
The evidence provided by FIS in response to the draft audit report indicates that adequate segregation of duties has been implemented; no further action is required.

2. Control AC-7 – Unsuccessful Login Attempts

iTRAX servers and user workstations are not configured in accordance with OPM security guidelines. User accounts are appropriately configured to automatically lock after an incorrect password has been entered three times. However, the accounts automatically unlock after a predefined period of time: 15 minutes for workstations and 30 minutes for servers.

The OPM Security and Privacy Policy Handbook requires that "the information system automatically locks the account until released by an administrator when the maximum number of unsuccessful attempts is exceeded." Failure to enforce these guidelines increases the risk of unauthorized access to the system through a brute force attack.

Recommendation 2
We recommend that FIS ensure that iTRAX server and workstation account lockout settings are modified to comply with OPM policy.

FIS Response:
"FIS agrees with the recommendation. These requirements are appropriately met in regards to logging into the OPM CISCO VPN and at the iTRAX application interface through PIV logon. However, the local machine login continues to use user id and password. As a result, the account unlock setting is currently 15 minutes. The iTRAX users are a remote workforce across the country and sending the laptop to a central location for an Administrator to unlock the account (per the OPM policy) is not a feasible option based on investigation timelines dictated by federal law.

FIS and the iTRAX technical teams have been pursuing internal conversations with OPM and other parties to find a proper resolution for PIV authentication on the local endpoints. POA&Ms (POA&Ms # FY14-QI-ITRAX-03, FY14-QI-ITRAX-04 and FY14-QI-ITRAX-05) are already in place regarding the need for PIV authentication of these devices. FIS will provide more detail in the POA&Ms and will accurately reflect the condition in Trusted Agent FISMA (TAF)."

OIG Reply:
As part of the audit resolution process, we recommend that FIS provide OPM's Internal Oversight and Compliance (IOC) division with evidence that server and workstation account lockout settings are configured in compliance with OPM guidelines.

3. Control AU-6 – Audit Review, Analysis, and Reporting

iTRAX servers are configured to record the activity of privileged users (i.e., system administrators). However, the event logs generated by these servers are only reviewed retroactively if a problem has been reported or detected, and there is no process in place to routinely review privileged user activity logs. Furthermore, there is no policy or procedure documenting the process for reviewing audit logs or reporting anomalies.

NIST SP 800-53 Revision 3 requires that an organization "Reviews and analyzes information system audit records . . . for indications of inappropriate or unusual activity, and reports findings to designated organizational officials. . . ."

Failure to routinely review elevated user activity increases the risk that malicious activity could go undetected and sensitive information could be compromised.

Recommendation 3
We recommend that FIS ensure that a documented process is in place to routinely review iTRAX privileged user (administrator) activity.

FIS Response:
"FIS agrees with the recommendation and has taken action to resolve the issue prior to the report's finalization. iTRAX did not have a documented procedure to satisfy this requirement. Logs were monitored on an as needed basis, but no official audit procedure existed for Administrator activity and no official reporting mechanisms were identified or utilized. This situation has been resolved with newly introduced policy, procedure and reporting documentation. The supporting evidence has been supplied in the Post-Exit Brief Submission package."

OIG Reply:
The evidence provided by FIS in response to the draft audit report indicates that a policy, procedures, and an event tracking template related to reviewing privileged user activity have been created. As part of the audit resolution process we recommend that FIS provide IOC with evidence that the template is being utilized in accordance with the new policy and procedures.

4. Control PE-1 – Physical and Environmental Protection Policy and Procedures

Although the current employees at CACI facilities have an informal understanding of their roles and responsibilities when responding to an emergency, the organization has not formally documented emergency response procedures. We were told that CACI is in the process of collecting and documenting procedures in one centralized repository, but they have not done so at this time.

NIST SP 800-53 Revision 3 requires that an organization have "A formal, documented physical and environmental protection policy that addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance" and "Formal, documented procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls."

Failure to establish documented emergency response procedures increases the likelihood that personnel will not know how to respond in emergency situations within the computer room.

Recommendation 4
We recommend that FIS ensure that emergency response procedures are formally documented for CACI facilities.

FIS Response:
"FIS agrees with the recommendation and has taken action to resolve the issue prior to the report's finalization. FIS would like to specify the CACI facilities in question are specifically those housing the IT infrastructure for the iTRAX system located at the Park East Data Center in Chantilly, Virginia. Emergency response procedures have been formally documented and will be attached to the System Security Plan. The supporting evidence has been supplied in the Post-Exit Brief Submission package."

OIG Reply:
The evidence provided by FIS in response to the draft audit report indicates that emergency response procedures have been formally documented; no further action is required.

Major Contributors to this Report

This audit report was prepared by the U.S. Office of Personnel Management, Office of Inspector General, Information Systems Audits Group. The following individuals participated in the audit and the preparation of this report:

• [name redacted], Group Chief
• [name redacted], Auditor-In-Charge
• [name redacted], IT Auditor

Appendix

United States Office of Personnel Management

TO: [name redacted], Information Systems Audits Group

FROM: [name redacted], Chief, IT System Security & Access, Federal Investigative Services

SUBJECT: Response to "Draft" Report No. 4A-IS-00-14-017, Dated January 28, 2014

OIG Recommendation 1:
We recommend that FIS ensure that the iTRAX system is subject to a functional disaster recovery test and that the system can be fully recovered at the backup location.

FIS Response:
FIS respectfully disagrees with the OIG recommendation and requests an opportunity for further discussion on this finding.
In August 2013, a full interrupt test and server rebuild was completed\n           for the iTRAX system as identified in the System Security Plan (SSP) dated October 2013. In\n           addition to the actual contingency situation declaration in August, a table top exercise was also\n           completed and with successful results reported.\n\n           FIS would also request and opportunity to discuss the OPM policy on security control seeping\n           guidance. Although the overall system categorization of the iTRAX system is "High", the FIPS\n           199 indicates a " Low" categorization for "Availability". Based on our understandi ng of OPM\n           policy and the requirements identified in NIST 800-34 Revl, we believe tape back-up and plans\n           for relocation to a cold site should fully satisfy the requirement.\n\n           OIG Recommendation 2: \n\n           We recommend that FIS ensure that proper separation of duties is maintained within iTRAX and \n\n           the back-end software platform. \n\n\n           FIS Response:\n           FIS agrees with the recommendation and has taken action to resolve the issue prior to the\n           report\'s finalization . The iTRAX Development Team has been segregated into two groups to\n           meet separation of duties requirements. Administrative privileges have been re moved for all\n           Developers except the Serena Development Team Lead (normally not involved in actual code\n           development). The Serena Development Team Lead will be added to the Configuration Control\n           Board (CCB) and will coordinate with approval procedures, internally rev iew all code created on\n           the development environment prior to production approval, and orchestrate periodic and planned\n           iTRAX software updates to the production server. 
The supporting evidence has been supplied in\n           the Post-Exit Brief Submission package.\n\x0cOIG Recommendation 3:\nWe recommend that FIS ensure that iTRAX server and workstation account lockout settings\nare modified to comply with OPM policy.\n\nFIS Response:\nFIS agrees with the recommendation. These requirements are appropriately met in regards to\nlogging into the OPM CISCO VPN and at the iTRAX application interface thru PIV logon.\nHowever, the local machine login continues to use user id and password. As a result, the account\nunlock setting is currently 15 minutes. The iTRAX users are a remote workforce across the\ncountry and sending the laptop to a central location for an Administrator to unlock the account\n(per the OPM policy) is not a feasible option based on investigation timelines dictated by federal\nlaw.\n\nFIS and the iTRAX technical teams have been pursuing internal conversations with OPM and\nother parties to find a proper resolution for PIV authentication on the local endpoints. POA&Ms\n(POA&Ms # FY14-Ql-ITRAX-03, FY14-Ql-ITRAX-04 and FY14-Ql-ITRAX-05) are already\nin place regarding the need for PIV authentication of these devices. FIS will provide more detail\nin the POA&Ms and will accurately reflect the condition in Trusted Agent FISMA (TAF).\n\nOIG Recommendation 4:\nWe recommend that FIS ensure that a documented process is in place to routinely review iTRAX\nprivileged user (administrator) activity.\n\nFIS Response:\nFIS agrees with the recommendation and has taken action to resolve the issue prior to the\nreport\'s finalization. iTRAX did not have a documented procedure to satisfy this requirement.\nLogs were monitored on an as needed basis, but no official audit procedure existed for\nAdministrator activity and no official reporting mechanisms were identified or utilized. This\nsituation has been resolved with newly introduced policy, procedure and reporting\ndocumentation. 
The supporting evidence has been supplied in the Post-Exit Brief Submission\npackage.\n\nOIG Recommendation 5:\nWe recommend that FIS ensure that emergency response procedures are formally documented\nfor CACI facilities.\n\nFIS Response:\nFIS agrees with the recommendation and has taken action to resolve the issue prior to the\nreport\'s finalization. FIS would like to specify the CACI facilities in question are specifically\nthose housing the IT infrastructure for the iTRAX system located at the Park East Data Center in\nChantilly, Virginia. Emergency response procedures have been formally documented and will\nbe attached to the System Security Plan. The supporting evidence has been supplied in the Post\xc2\xad\nExit Brief Submission package.\n\x0c'
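The account lockout condition reported under Control AC-7 (Recommendation 2 of the report, Recommendation 3 of the appendix) can be checked mechanically against the quoted OPM rule. The following is an added example, not code from the OIG report or from OPM or FIS: it evaluates the [System Access] section of a Windows security template in the format written by `secedit /export /cfg <file>`. The key names (LockoutBadCount, LockoutDuration, ResetLockoutCount), the encoding of "locked until an administrator unlocks" (0 in the Local Security Policy UI, -1 in exported templates) and the two sample templates are assumptions and constructed data, not values taken from the audited systems.

```python
"""Check Windows account lockout settings against the OPM rule quoted under
Control AC-7: the account must stay locked until released by an administrator
once the maximum number of unsuccessful attempts is exceeded.

Added example; not code from the OIG report, OPM or FIS.  It reads the
[System Access] section of a security template as written by
`secedit /export /cfg <file>`.  The key names and the encoding of
"locked until an administrator unlocks" (0 in the Local Security Policy UI,
-1 in exported templates) are assumptions about that format.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample (not real OPM/FIS configuration).  It reproduces the audited
# workstation condition: lock after three bad passwords, auto-unlock after 15 minutes.
WORKSTATION_AS_FOUND = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 12
LockoutBadCount = 3
ResetLockoutCount = 15
LockoutDuration = 15
[Version]
signature="$CHICAGO$"
Revision=1
"""

# The same template with the lockout duration set to "until an administrator
# unlocks the account", which is what the quoted OPM policy requires.
WORKSTATION_CORRECTED = WORKSTATION_AS_FOUND.replace(
    "LockoutDuration = 15", "LockoutDuration = -1"
)

# Values taken to mean "no automatic unlock" (assumption, see module docstring).
UNTIL_ADMIN_UNLOCKS = {0, -1}


def parse_system_access(template: str) -> dict[str, int]:
    """Return the integer-valued settings of the [System Access] section."""
    settings: dict[str, int] = {}
    in_section = False
    for raw in template.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            in_section = line == "[System Access]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            value = value.strip().strip('"')
            if value.lstrip("-").isdigit():
                settings[key.strip()] = int(value)
    return settings


@dataclass
class LockoutFinding:
    compliant: bool
    threshold: int            # 0 means lockout is disabled
    unlock_after: int | None  # minutes, or None when only an administrator can unlock
    reasons: list[str] = field(default_factory=list)


def evaluate_lockout(settings: dict[str, int], max_attempts: int = 3) -> LockoutFinding:
    """Compare lockout settings with a 'lock until an administrator releases' policy.

    max_attempts is the number of unsuccessful attempts the policy tolerates
    before the account must lock; the report observed three.
    """
    threshold = settings.get("LockoutBadCount", 0)
    raw_duration = settings.get("LockoutDuration", 0)
    reasons: list[str] = []

    if threshold == 0:
        reasons.append("account lockout is disabled (LockoutBadCount = 0)")
        return LockoutFinding(False, threshold, None, reasons)
    if threshold > max_attempts:
        reasons.append(f"lockout threshold {threshold} exceeds the allowed {max_attempts} attempts")

    unlock_after: int | None
    if raw_duration in UNTIL_ADMIN_UNLOCKS:
        unlock_after = None
    else:
        unlock_after = raw_duration
        reasons.append(f"locked accounts unlock automatically after {raw_duration} minutes")

    return LockoutFinding(not reasons, threshold, unlock_after, reasons)


if __name__ == "__main__":
    for label, template in (("as found", WORKSTATION_AS_FOUND), ("corrected", WORKSTATION_CORRECTED)):
        finding = evaluate_lockout(parse_system_access(template))
        status = "compliant" if finding.compliant else "NOT compliant"
        print(f"{label}: {status}; " + ("; ".join(finding.reasons) or "no issues"))
```

On a real workstation the template would come from `secedit /export /cfg <file>` (the export is typically UTF-16, so open it with `encoding="utf-16"`) rather than from the inline strings. The check covers only the technical setting; the operational question FIS raises, how a remote workforce gets a locked laptop released without shipping it to an administrator, is a process decision the report leaves to the POA&Ms.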